5 Answers
5

Essentially it depends on the attacker and what resources they have available. Ordinary home-users or attackers who aren't very dedicated might be deterred by source IP address blocking, but more advanced/determined attackers have a number of ways to get round this.

The obvious one is to use one of the wide range of proxy services available on the Internet. This includes things like ToR and Anonymizer.com. Since one of the goals of these services is to mask the source IP address of the user, they will bypass the block until the attacker tries enough attempts with a given IP and gets blocked again.

As an interesting aside, the attacker could cause a partial DoS to your application by going round enough of these sites, as any of your other users who make use of those services will be blocked, once you block the IP addresses belonging to them.

On top of online services, the attacker could do things like use Wi-Fi hotspots or college/university networks to get access to more source IPs

So essentially this blocking would make things more awkward but wouldn't stop a determined attack.

@devnul3 There's no guarantee that will work, my ISP gives a new IP address if you use a router with a new mac address or are disconnected for around 3 weeks.
–
R4D4Mar 23 '12 at 10:57

@R4D4 I'm saying that if you get your IP blocked you can do that (possibly spoofing the external MAC, which most home routers support (and in some cases support RESTfully, so you can script it)) in order to bypass the block. I figured the YMMV was implied :)
–
devnul3Mar 23 '12 at 15:23

It depends on the filtering policy. If it's an explicit deny, whereby only authorised users [and thus IPs] are added to a whitelist, it can be quite an effective layer of security.

In this scenario, an attacker would need to compromise an allowed host in order to connect to the site. The size and nature of the authorised user-base will determine how difficult this is. Sites which contain licensed content often use this type of access control.

Also note, this does not describe a bullet-proof security control. As such, it should be one layer of a greater defence in depth security model.

Where's it's a blacklist configuration, the situation is much different. The other answers describe this scenario quite well.

Dynamic IPs are used by a lot of ISPs. I have one, for example. This means that as soon as I reboot my router (which is trivial, just powering it off and on will do, and some people do power off theirs) I get a new IP address.

This also means that somebody else will get my old IP, so the guy will be blocked from your website for no reason. Also, it is possible to script all of this up, so if the "attacker" (read: script kiddie) knows how to craft a batch file, there goes your IP banning.

Bottom line: it is not only trivial to bypass this, but using it can even harm legit users.

Spoofing an IP address won't work very well for HTTPS since you need to make a proper 2 way connection first - you can't do that if the responses are getting sent to the wrong address.

People on most DSL connections can simply reboot their modem/router to get a new IP address. So they can keep trying. And botnets have hundreds of IP addresses to try from. So it doesn't do much to stop them.

It can also cause problems if someone decides to take advantage of the IP blocking. Some ISPs like AOL have all their customers behind NAT and going out to the internet on only a few IP addresses. Blocking one of those will prevent any other legitimate people from logging in. Same goes for most large offices and schools - a single IP address could really be 1000 users.